WordPress Plugin Vulnerabilities

Sticky Popup <= 1.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape and sanitise the popup_title setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

Affects Plugins

Plugin icon
sticky-popup
No known fix

References

CVE
CVE-2022-1750

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Saeed Alzahrani
Verified
Yes
WPVDB ID
2e3774b9-bf29-484c-8456-c11bc711a106

Timeline

Publicly Published
2022-05-23 (about 3 years ago)
Added
2022-05-23 (about 3 years ago)
Last Updated
2023-02-19 (about 3 years ago)

Other

Published
Title
Published
2025-06-25
Title
Image Editor by Pixo < 2.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via download Parameter
Published
2025-09-22
Title
Maps for WP <= 1.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-07-24
Title
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
Published
2015-02-02
Title
WordPress Calls to Action <= 2.2.7 - Stored XSS
Published
2026-02-18
Title
Apollo13 Framework Extension < 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter